Showing posts from July, 2020

Bypassing Windows Defender Antivirus in Windows Server 2016/2019

Summary

In this post I will discuss a Windows Defender Antivirus bypass I discovered and reported to Microsoft on May 26th 2020. The bypass affects the versions of Windows Defender shipped with Windows Server 2016/2019 when the Web Server role is installed. This post also covers the road I took to get to the bypass; for the TL;DR, go to the "Bypassing Windows Defender Antivirus 2016 using automatic exclusions" section.

Setting the stage

I recently worked on a penetration test of an ASP.NET application. The setup was fairly standard for a small ASP.NET application: it was deployed in Amazon AWS with a web tier and a database tier. The web tier, where the application lived, ran on a Windows Server 2016 instance with the Web Server role installed. This ASP.NET application integrated with a much larger suite of applications deployed in the same AWS environment (14 other Windows servers). Below I've generated some screenshots from some test systems
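The bypass named in the summary relies on the automatic exclusions Windows Defender applies when a server role such as Web Server (IIS) is installed. The following check is an added example, not code from the original post: it reports, on a Windows Server 2016/2019 host, whether the Web Server role is present and whether automatic exclusions are still enabled, and shows the documented opt-out. It assumes an elevated PowerShell session with the Defender and ServerManager modules available, and treats the decision to disable automatic exclusions (which adds scan overhead on IIS paths) as the operator's call.

```powershell
# Added check (not from the original post): is this server exposed to
# Defender's role-based automatic exclusions?
# Assumes an elevated PowerShell on Windows Server 2016/2019 with the
# Defender and ServerManager modules present.

$pref = Get-MpPreference
$iis  = Get-WindowsFeature -Name Web-Server

[pscustomobject]@{
    WebServerRoleInstalled = $iis.Installed
    AutoExclusionsDisabled = $pref.DisableAutoExclusions
    ExplicitPathExclusions = ($pref.ExclusionPath -join ';')
}

# Automatic exclusions are built into the product and are not listed in
# ExclusionPath, so an empty ExclusionPath together with
# DisableAutoExclusions = $false still means the IIS directories are excluded
# from real-time scanning.

# Hardening (operator's decision; assumption: the extra scan load on IIS
# content paths is acceptable for this server):
# Set-MpPreference -DisableAutoExclusions $true
```

If the object reports the Web Server role installed and AutoExclusionsDisabled as $false, the host is in the configuration the post describes; re-run the check after applying the Set-MpPreference line (or the equivalent Group Policy setting) to confirm the change took effect.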